DETAILED ACTION 

1. This action is responsive to communication: filed on 2 August 2006 with original 
application filed 11 February 2000. 

2. Claims 1-6 and 9-14 are currently pending in this application. Claims 1, 3, and 5 are 
independent claims. Claims 7 and 8 have been canceled. 

Response to Arguments 

3. Applicant's arguments filed 2 August 2006 have been fully considered but they are not 
persuasive. 

Brief summary of prior art of record: 

Schuba: discloses a method of network protection for denial of service attacks. Specifically, 
Schuba teaches the patent in relation to the TCP/IP protocol: "The Internet Protocol (IP) is the 
standard network layer protocol of the Internet that provides a connectionless, best effort 
delivery service" (col. 3, lines 18-21). "For any TCP connection, there are memory structures that 
need to be allocated by both endpoints . . . three memory structures need to be allocated at each 
endpoint . . . There is a limit on the number of concurrent TCP connections that can be in a half- 
open connection state, called the SYN-RECVD state" (col. 4, lines 30-65). 
Yavatkar: discloses a method for diagnosing network intrusion. Specifically, Yavatkar teaches 
a watchdog agent that determines congestion by analyzing traffic on a network. 

In response to applicant's argument beginning on page 6, "Schuba does not anticipate 
claim 1 because Schuba does not teach the claimed steps of determining, discarding, and 
queuing, as claimed ... As proven in the previous response to office action, Schuba instead 
teaches discarding incoming connection requests until the maximum of half-open connections is 
reduced": the Office disagrees with this argument, and notes that the section of Schuba quoted by 
applicant, "discarding incoming requests until the maximum of half-open connections is reduced", 
is interpreted to have the same meaning as determining. 

In response to applicant's argument beginning on page 7, "Several important differences 
exist between discarding additional connection requests, as in Schuba, and discarding the 
datagram, if the number of connectionless datagrams already queued to the port from the host 
exceeds the prescribed threshold, as recited in claim 1": the Office disagrees with this argument and 
notes that there is no difference between "half-open connections" and the text stated in claim 1, 
"connectionless datagrams are received for queuing to a port". Schuba teaches all the limitations 
that are in claims 1, 3, 5, 7, and 14. 

In response to applicant's argument on page 8, "Schuba only teaches methods for dealing 
with too many half-open connections, which is entirely distinct from discarding datagrams queued 
at a port . . . The thrust of Applicants' argument is not directed towards splitting fine hairs over the 
meaning of the term 'connectionless' or the meaning of the term 'queuing the connectionless 
datagram'. The thrust of Applicants' arguments is that a fundamental and marked difference exists 
between a queue of connectionless datagrams at a port, as claimed, and a queue of half-open 
connections, as described in Schuba": the Office disagrees with this argument. To establish a 
connection, the standard TCP/IP three-way handshake must occur; that is how a connection is 
established. TCP/IP transfers connectionless datagrams. Discarding datagrams queued at a port 
when there are too many half-open connections has the same meaning. Note that to queue to a port is to 
start communication, which can be termed a half-open connection. 

In response to applicant's argument beginning on page 11, "In addition, the proposed 
combination does not teach all of the features of the other dependent claims ... the cited text 
plainly does not teach or suggest configuring a maximum number of connectionless datagrams 
allowed to be queued at the port": the Examiner disagrees and notes that the settings for the port 
that Yavatkar can alter are obviously the maximum number of connections allowed for the port. 
The references should be looked at in combination: Schuba teaches that a limit is set by the 
TCP/IP protocol for the maximum number of connections allowed to be established to a port; 
Yavatkar teaches that the operational settings of a port can be altered; these operational settings 
are an obvious variation of the number of connections allowed at a port. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for 
patent or (2) a patent granted on an application for patent by another filed in the United 
States before the invention by the applicant for patent, except that an international 
application filed under the treaty defined in section 351(a) shall have the effects for 
purposes of this subsection of an application filed in the United States only if the 
international application designated the United States and was published under Article 
21(2) of such treaty in the English language 

5. Claims 1, 3, 5, and 14, are rejected under 35 U.S.C. 102(e) as being anticipated by 
Schuba et al. U.S. Patent No. 6,725,378 (hereinafter '378). 
As to independent claim 1, "A method of preventing a flooding attack on a network 
server" is taught in '378 col. 1, lines 55-60 "the present invention includes a unique defense for 
denial of service attacks"; 

"in which a large number of connectionless datagrams are received for queuing to a 
port on the network server, comprising:" is shown in '378 col. 3, lines 16-33 "The Internet 
Protocol (IP) is the standard network layer protocol of the Internet that provides a 
connectionless, best effort packet delivery service. IP defines the basic unit of the data transfer 
used throughout an IP network, called a datagram. The delivery of datagrams is not guaranteed . . . 
Datagrams are routed towards their destination host" {"connectionless datagrams" same as 
"connectionless, best effort packet delivery service" / "network server" same as "destination 
host"}; 

"determining, in response to the arrival of a connectionless datagram from a host for 
a port on the network server" is disclosed in '378 col. 4, lines 52-54 "When a SYN packet 
arrives at a port on which a TCP server is listening"; 

"if the number of connectionless datagrams already queued to the port from the 
host exceeds a prescribed threshold; discarding the datagram, if the number of 
connectionless datagrams already queued to the port from the host exceeds the prescribed 
threshold" is taught in '378 col. 4, lines 54-58 "There is a limit on the number of concurrent 
TCP connections that can be in a half-open connection state, called the SYN-RECVD state (i.e., 
SYN received). When the maximum number of half-open connections per port is reached, TCP 
discards all new incoming connection requests"; 

"and queuing the connectionless datagram to a queue slot of the port, if the number 
of connectionless datagrams already queued to the port from the host does not exceed the 
prescribed threshold" is taught in '378 col. 4, lines 59-67 "until it has either cleared or 
completed some of the half-open connections". 

As to independent claim 3, this claim is directed to the apparatus of the method of claim 
1 and is similarly rejected along the same rationale. 

As to independent claim 5, this claim is directed to a storage media containing program 
code of the method of claim 1 and is similarly rejected along the same rationale. 

As to dependent claim 14, "wherein the computer is the network server" is taught in 
'378 col. 4, line 52 through col. 5, line 17. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 

7. Claims 2, 4, 6, and 9-13, are rejected under 35 U.S.C. 103(a) as being unpatentable over 
'378 in further view of Yavatkar et al. U.S. Patent No. 6,735,702 (hereinafter '702). 

As to dependent claim 2, the following is not taught in '378: "wherein the determining 
if the number of datagrams already queued to the port from the host exceeds a prescribed 
threshold further comprises: calculating the prescribed threshold by multiplying a 
percentage by the number of available queue slots for the port"; however, '702 teaches "A 
watchdog agent may assume a network attack exists if network congestion is detected ... In an 
alternate embodiment a watchdog agent detects network congestion by monitoring interface 
discard counts and average queue lengths for each port on the node" in col. 15, line 63 through 
col. 16, line 17. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify the teachings of '378, a method to protect a network from denial of service attacks, to 
include a means to calculate the threshold limit per port. One of ordinary skill in the art would 
have been motivated to perform such a modification in order to gain information needed to 
diagnose a network attack (see '702 col. 2, lines 44 et seq.): "Therefore there exists a need for a 
system and method allowing for the distributed state of a network, such as information about 
attack traffic, to be quickly and accurately collected. A system and method are needed for 
quickly and accurately diagnosing network attacks by determining information such as the 
source of, or a partial path of, attack traffic". 

As to dependent claim 4, this claim incorporates substantially similar subject matter as 
cited in claim 2 above and is rejected along the same rationale. 

As to dependent claim 6, this claim incorporates substantially similar subject matter as 
cited in claim 2 above and is rejected along the same rationale. 

As to dependent claim 9, "further comprising: configuring a maximum number of 
connectionless datagrams allowed to be queued at the port" is taught in '702 col. 12, lines 
27-39 "In step 440, proactive environment 100 instantiates service object 300 based on the class 
of service 102. Proactive environment 100 configures service object 300 per the permissioning 
accessed in step 434. For example, one set of permissioning may allow agent 110 to use service 
object 300 to read the operating characteristics of port 21 and alter settings for the port". 

Application/Control Number: 09/503,608 Page 8 

Art Unit: 2134 
As to dependent claim 10, "wherein the configuring step further includes 
configuring a controlling percentage of available queue slots remaining for the port; and 
wherein the prescribed threshold is based on the controlling percentage of available queue 
slots remaining for the port" is shown in '702 col. 12, lines 27-39. 

As to dependent claim 11, "wherein the port comprises a plurality of queue slots, the 
method further comprising: maintaining a number of available queue slots of the plurality 
of queue slots for the port" is disclosed in '702 col. 12, lines 27-39. 

As to dependent claim 12, this claim incorporates substantially similar subject matter as 
cited in claim 9 above and is rejected along the same rationale. 

As to dependent claim 13, this claim incorporates substantially similar subject matter as 
cited in claim 10 above and is rejected along the same rationale. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as 
set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to 
expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed 
within TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened 
statutory period will expire on the date the advisory action is mailed, and any extension fee 
pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In 
no event, however, will the statutory period for reply expire later than SIX MONTHS from the 
mailing date of this final action. 



examiner should be directed to Ellen C Tran whose telephone number is 
(571) 272-3842. The examiner can normally be reached from 6:00 am to 2:30 pm. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Jacques H. Louis-Jacques, can be reached on (571) 272-6962. The fax phone number for the 
organization where this application or proceeding is assigned is (571) 273-8300. 
Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be 
obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



8. 